Apr 28 2020 06:54 AM
If you have Office 365 E5 licenses, your mailboxes generate MailItemsAccessed events. These events are stored in the Office 365 audit log and can be used for investigating potentially compromised mailboxes. Useful information is in the audit events, but some processing is needed to extract the full benefit. Here's how to do it with PowerShell.
https://www.petri.com/interpreting-the-office-365-mailitemsaccessed-audit-event
Apr 28 2020 08:52 AM
How did you get it to work though? Still zero events captured here, still not able to add MailItemsAccessed to the Audit properties, still throws a license error.
Apr 28 2020 09:51 AM
Apr 28 2020 11:38 PM
Um, the question was "how" :)
Apr 29 2020 01:10 AM
Apr 29 2020 07:28 AM
Well, still no luck in my tenant, with E5. The wait game continues...